Mitigating Routing Misbehavior in Mobile Ad Hoc Networks

Sergio Marti, T.J. Giuli, Kevin Lai, and Mary Baker
Department of Computer Science
Stanford University
Stanford, CA 94305 U.S.A.
{smarti,giuli,laik,mgbaker}@stanford.edu

ABSTRACT

This paper describes two techniques that improve throughput in an ad hoc network in the presence of nodes that agree to forward packets but fail to do so. To mitigate this problem, we propose categorizing nodes based upon their dynamically measured behavior. We use a watchdog that identifies misbehaving nodes and a pathrater that helps routing protocols avoid these nodes. Through simulation we evaluate watchdog and pathrater using packet throughput, percentage of overhead (routing) transmissions, and the accuracy of misbehaving node detection. When used together in a network with moderate mobility, the two techniques increase throughput by 17% in the presence of 40% misbehaving nodes, while increasing the percentage of overhead transmissions from the standard routing protocol's 9% to 17%. During extreme mobility, watchdog and pathrater can increase network throughput by 27%, while increasing the overhead transmissions from the standard routing protocol's 12% to 24%.

1. INTRODUCTION

There will be tremendous growth over the next decade in the use of wireless communication, from satellite transmission into many homes to wireless personal area networks. As the cost of wireless access drops, wireless communications could replace wired in many settings. One advantage of wireless is the ability to transmit data among users in a common area while remaining mobile. However, the distance between participants is limited by the range of transmitters or their proximity to wireless access points. Ad hoc wireless networks mitigate this problem by allowing out of range nodes to route data through intermediate nodes.

Ad hoc networks have a wide array of military and commercial applications. Ad hoc networks are ideal in situations where installing an infrastructure is not possible because the infrastructure is too expensive or too vulnerable, the network is too transient, or the infrastructure was destroyed. For example, nodes may be spread over too large an area for one base station and a second base station may be too expensive. An example of a vulnerable infrastructure is a military base station on a battlefield. Networks for wilderness expeditions and conferences may be transient if they exist for only a short period of time before dispersing or moving. Finally, if network infrastructure has been destroyed due to a disaster, an ad hoc wireless network could be used to coordinate relief efforts. Since DARPA's PRNET [13], the area of routing in ad hoc networks has been an open research topic.

Ad hoc networks maximize total network throughput by using all available nodes for routing and forwarding. Therefore, the more nodes that participate in packet routing, the greater the aggregate bandwidth, the shorter the possible routing paths, and the smaller the possibility of a network partition. However, a node may misbehave by agreeing to forward packets and then failing to do so, because it is overloaded, selfish, malicious, or broken. An overloaded node lacks the CPU cycles, buffer space or available network bandwidth to forward packets. A selfish node is unwilling to spend battery life, CPU cycles, or available network bandwidth to forward packets not of direct interest to it, even though it expects others to forward packets on its behalf. A malicious node launches a denial of service attack by dropping packets. A broken node might have a software fault that prevents it from forwarding packets.

Misbehaving nodes can be a significant problem. Our simulations show that if 10%-40% of the nodes in the network misbehave, then the average throughput degrades by 16%-32%. However, the worst case throughput experienced by any one node may be worse than the average, because nodes that try to route through a misbehaving node experience high loss while other nodes experience no loss. Thus, even a few misbehaving nodes can have a severe impact.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. MOBICOM 2000 Boston MA USA Copyright ACM 2000 1-58113-197-6/00/08...$5.00


One solution to misbehaving nodes is to forward packets only through nodes that share an a priori trust relationship. A priori trust relationships are based on pre-existing relationships built outside of the context of the network (e.g. friendships, companies, and armies). The problems with relying on a priori trust-based forwarding are that 1) it requires key distribution, 2) trusted nodes may still be overloaded, 3) trusted nodes may still be broken, 4) trusted nodes may be compromised, and 5) untrusted nodes may be well behaved. It may not be possible to exchange keys used to authenticate trusted nodes outside of the ad hoc network before the conference or disaster that requires an ad hoc network. If keys are not distributed ahead of time, then enforcing a priori trust-based forwarding requires a secure channel for key exchanges within the ad hoc network for authentication. Even if keys can be exchanged, a trusted node's security may be compromised, or a trusted node may be overloaded or broken as mentioned above. Finally, although relying on a priori trust-based forwarding reduces the number of misbehaving nodes, it also excludes untrusted well behaved nodes whose presence could improve ad hoc network performance.

17%. During extreme mobility, watchdog and pathrater can increase network throughput by 27%, while increasing the percentage of overhead transmissions from 12% to 24%. We describe mechanisms to reduce this overhead in Section 6.

The remainder of this paper is organized as follows. Section 2 specifies our assumptions about ad hoc networks and gives background information about DSR. Section 3 describes the watchdog and pathrater extensions. Section 4 describes the methodology we use in our simulations and the metrics we use to evaluate the results. We present these results in Section 5. Sections 6 and 7 present related work and future work, respectively. Finally, Section 8 concludes the paper.

2. ASSUMPTIONS AND BACKGROUND

This section outlines the assumptions we make regarding the properties of the physical and network layers of ad hoc networks and includes a brief description of DSR, the routing protocol we use.

2.1 Definitions

We use the term neighbor to refer to a node that is within wireless transmission range of another node. Likewise, neighborhood refers to all the nodes that are within wireless transmission range of a node.

Another solution to misbehaving nodes is to attempt to forestall or isolate these nodes from within the actual routing protocol for the network. However, this would add significant complexity to protocols whose behavior must be very well defined. In fact, current versions of mature ad hoc routing algorithms, including DSR [12], AODV [7], TORA [5], DSDV [19], STAR [9], and others [16] only detect if the receiver's network interface is accepting packets, but they otherwise assume that routing nodes do not misbehave. Although trusting all nodes to be well behaved increases the number of nodes available for routing, it also admits misbehaving nodes to the network.

2.2 Physical Layer Characteristics

Throughout this paper we assume bidirectional communication symmetry on every link between nodes. This means that if a node B is capable of receiving a message from a node A at time t, then node A could instead have received a message from node B at time t. This assumption is often valid, since many wireless MAC layer protocols, including IEEE 802.11 and MACAW [2], require bidirectional communication for reliable transmission. The watchdog mechanism relies on bidirectional links.

In this paper we explore a different approach, and install extra facilities in the network to detect and mitigate routing misbehavior. In this way, we can make only minimal changes to the underlying routing algorithm. We introduce two extensions to the Dynamic Source Routing algorithm (DSR) [12] to mitigate the effects of routing misbehavior: the watchdog and the pathrater. The watchdog identifies misbehaving nodes, while the pathrater avoids routing packets through these nodes. When a node forwards a packet, the node's watchdog verifies that the next node in the path also forwards the packet. The watchdog does this by listening promiscuously to the next node's transmissions. If the next node does not forward the packet, then it is misbehaving. The pathrater uses this knowledge of misbehaving nodes to choose the network path that is most likely to deliver packets.

In addition, we assume wireless interfaces that support promiscuous mode operation. Promiscuous mode means that if a node A is within range of a node B, it can overhear communications to and from B even if those communications do not directly involve A. Lucent Technologies' WaveLAN interfaces have this capability. While promiscuous mode is not appropriate for all ad hoc network scenarios (particularly some military scenarios) it is useful in other scenarios for improving routing protocol performance [12].

2.3 Dynamic Source Routing (DSR)

DSR is an on-demand, source routing protocol. Every packet has a route path consisting of the addresses of nodes that have agreed to participate in routing the packet. The protocol is referred to as "on-demand" because route paths are discovered at the time a source sends a packet to a destination for which the source has no path.

Using the ns network simulator [8], we show that the two techniques increase throughput by 17% in the presence of up to 40% misbehaving nodes during moderate mobility, while increasing the ratio of overhead transmissions to data transmissions from the standard routing protocol's 9% to

We divide DSR into two main functions: route discovery and route maintenance. Figure 1 illustrates route discovery. Node S (the source) wishes to communicate with node D (the destination) but does not know any paths to D. S initiates a route discovery by broadcasting a ROUTE REQUEST packet to its neighbors that contains the destination address D. The neighbors in turn append their own addresses to the ROUTE REQUEST packet and rebroadcast it. This process continues until a ROUTE REQUEST packet reaches D. D must now send back a route reply packet to inform S of the discovered route. Since the ROUTE REQUEST packet that reaches D contains a path from S to D, D may choose to use the reverse path to send back the reply (bidirectional links are required here) or to initiate a new route discovery back to S. Since there can be many routes from a source to a destination, a source may receive multiple route replies from a destination. DSR caches these routes in a route cache for future use.

Figure 1: Example of a ROUTE REQUEST. (a) Node S sends out a ROUTE REQUEST packet to find a path to node D. (b) The ROUTE REQUEST is forwarded throughout the network, each node adding its address to the packet. (c) D then sends back a ROUTE REPLY to S using the path contained in one of the ROUTE REQUEST packets that reached it. The thick lines represent the path the ROUTE REPLY takes back to the sender.

The second main function in DSR is route maintenance, which handles link breaks. A link break occurs when two nodes on a path are no longer in transmission range. If an intermediate node detects a link break when forwarding a packet to the next node in the route path, it sends back a message to the source notifying it of that link break. The source must try another path or do a route discovery if it does not have another path.

3. WATCHDOG AND PATHRATER

In this section we present the watchdog and the pathrater, tools for detecting and mitigating routing misbehavior. We also describe the limitations of these methods. Though we implement these tools on top of DSR, some of our concepts can be generalized to other source routing protocols. We note those concepts that can be generalized during our descriptions of the techniques.

3.1 Watchdog

The watchdog method detects misbehaving nodes. Figure 2 illustrates how the watchdog works. Suppose there exists a path from node S to D through intermediate nodes A, B, and C. Node A cannot transmit all the way to node C, but it can listen in on node B's traffic. Thus, when A transmits a packet for B to forward to C, A can often tell if B transmits the packet. If encryption is not performed separately for each link, which can be expensive, then A can also tell if B has tampered with the payload or the header.

Figure 2: When B forwards a packet from S toward D through C, A can overhear B's transmission and can verify that B has attempted to pass the packet to C. The solid line represents the intended direction of the packet sent by B to C, while the dashed line indicates that A is within transmission range of B and can overhear the packet transfer.


the only reason B would have for taking the actions that it does is because it is malicious. B wastes battery power and CPU time, so it is not selfish. An overloaded node would not engage in this behavior either, since it wastes badly needed CPU time and bandwidth. Thus, this second case should be a rare occurrence.

Figure 3: Node A does not hear B forward packet 1 to C, because B's transmission collides at A with packet 2 from the source S.

Another problem can occur when nodes falsely report other nodes as misbehaving. A malicious node could attempt to partition the network by claiming that some nodes following it in the path are misbehaving. For instance, node A could report that node B is not forwarding packets when in fact it is. This will cause S to mark B as misbehaving when A is the culprit. This behavior, however, will be detected. Since A is passing messages on to B (as verified by S), then any acknowledgements from D to S will go through A to S, and S will wonder why it receives replies from D when supposedly B dropped packets in the forward direction. In addition, if A drops acknowledgements to hide them from S, then node B will detect this misbehavior and will report it to D.

Figure 4: Node A believes that B has forwarded packet 1 on to C, though C never received the packet due to a collision with packet 2.

We implement the watchdog by maintaining a buffer of recently sent packets and comparing each overheard packet with the packet in the buffer to see if there is a match. If so, the packet in the buffer is removed and forgotten by the watchdog, since it has been forwarded on. If a packet has remained in the buffer for longer than a certain timeout, the watchdog increments a failure tally for the node responsible for forwarding on the packet. If the tally exceeds a certain threshold bandwidth, it determines that the node is misbehaving and sends a message to the source notifying it of the misbehaving node.
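The buffer, timeout and tally logic described above, as an added example that is not the authors' simulator code. The class and method names, the 0.5 s timeout, the threshold of 3 and the SHA-256 payload comparison are assumptions chosen for illustration; the node names and packets are constructed.

```python
import hashlib
from collections import defaultdict


class Watchdog:
    """Per-node watchdog: buffers each packet handed to the next hop and
    checks that the next hop is overheard retransmitting it."""

    def __init__(self, timeout=0.5, threshold=3):
        self.timeout = timeout          # assumed: seconds to wait for the overheard copy
        self.threshold = threshold      # assumed: tally must exceed this before accusing
        self.pending = {}               # packet id -> (next_hop, source, digest, sent_at)
        self.tally = defaultdict(int)   # next_hop -> failure count
        self.accused = set()

    @staticmethod
    def _digest(payload):
        return hashlib.sha256(payload).digest()

    def on_send(self, pkt_id, route, me, payload, now):
        """Record a packet this node just transmitted along source route `route`."""
        next_hop = route[route.index(me) + 1]
        if next_hop == route[-1]:
            return  # next hop is the destination: it has nothing to forward
        self.pending[pkt_id] = (next_hop, route[0], self._digest(payload), now)

    def on_overhear(self, pkt_id, transmitter, payload):
        """Promiscuous-mode receive: forget the buffered packet on a match."""
        entry = self.pending.get(pkt_id)
        if entry is None:
            return False
        next_hop, _source, digest, _sent_at = entry
        if transmitter == next_hop and self._digest(payload) == digest:
            del self.pending[pkt_id]
            return True
        return False  # wrong sender or altered payload: entry stays and will time out

    def expire(self, now):
        """Tally timed-out packets; return (source, node) notifications to send."""
        notices = []
        for pkt_id, (next_hop, source, _d, sent_at) in list(self.pending.items()):
            if now - sent_at > self.timeout:
                del self.pending[pkt_id]
                self.tally[next_hop] += 1
                # A single miss may be a collision at the watcher, so only a
                # tally above the threshold produces an accusation.
                if self.tally[next_hop] > self.threshold and next_hop not in self.accused:
                    self.accused.add(next_hop)
                    notices.append((source, next_hop))
        return notices


def run_scenario(forwarded, n=6):
    """Node A watches B on the constructed route S-A-B-C-D for n packets.
    `forwarded` is the set of packet ids B is overheard forwarding."""
    route = ["S", "A", "B", "C", "D"]
    wd = Watchdog()
    notices = []
    for i in range(n):
        now = i * 0.1
        payload = b"data-%d" % i
        wd.on_send(i, route, "A", payload, now)
        if i in forwarded:
            wd.on_overhear(i, "B", payload)
        notices += wd.expire(now)
    notices += wd.expire(n * 0.1 + 1.0)   # let every remaining entry time out
    return notices, dict(wd.tally)


if __name__ == "__main__":
    print(run_scenario(set(range(6))))   # well-behaved B
    print(run_scenario({0, 2, 3, 4, 5}))  # one missed overhear
    print(run_scenario(set()))            # B drops everything
```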

Another problem is that a misbehaving node that can control its transmission power can circumvent the watchdog. A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient. This would require that the misbehaving node know the transmission power required to reach each of its neighboring nodes. Only a node with malicious intent would behave in this manner; selfish nodes have nothing to gain since battery power is wasted and overloaded nodes would not relieve any congestion by doing this.

The watchdog technique has advantages and weaknesses. DSR with the watchdog has the advantage that it can detect misbehavior at the forwarding level and not just the link level. Watchdog's weaknesses are that it might not detect a misbehaving node in the presence of 1) ambiguous collisions, 2) receiver collisions, 3) limited transmission power, 4) false misbehavior, 5) collusion, and 6) partial dropping.

Multiple nodes in collusion can mount a more sophisticated attack. For example, B and C from Figure 2 could collude to cause mischief. In this case, B forwards a packet to C but does not report to A when C drops the packet. Because of this limitation, it may be necessary to disallow two consecutive untrusted nodes in a routing path. In this paper, we only deal with the possibility of nodes acting alone. The harder problem of colluding nodes is being studied by Johnson at CMU [13].

The ambiguous collision problem prevents A from overhearing transmissions from B. As Figure 3 illustrates, a packet collision can occur at A while it is listening for B to forward on a packet. A does not know if the collision was caused by B forwarding on a packet as it should or if B never forwarded the packet and the collision was caused by other nodes in A's neighborhood. Because of this uncertainty, A should not immediately accuse B of misbehaving, but should instead continue to watch B over a period of time. If A repeatedly fails to detect B forwarding on packets, then A can assume that B is misbehaving.

Finally, a node can circumvent the watchdog by dropping packets at a lower rate than the watchdog's configured minimum misbehavior threshold. Although the watchdog will not detect this node as misbehaving, this node is forced to forward at the threshold bandwidth. In this way the watchdog serves to enforce this minimum bandwidth.

In the receiver collision problem, node A can only tell whether B sends the packet to C, but it cannot tell if C receives it (Figure 4). If a collision occurs at C when B first forwards the packet, A only sees B forwarding the packet and assumes that C successfully receives it. Thus, B could skip retransmitting the packet and leave A none the wiser. B could also purposefully cause the transmitted packet to collide at C by waiting until C is transmitting and then forwarding on the packet. In the first case, a node could be selfish and not want to waste power with retransmissions. In the latter case,

The watchdog mechanism could be used to some degree to detect replay attacks but would require maintaining a great deal of state information at each node as it monitors its neighbors to ensure that they do not retransmit a packet that they have already forwarded. Also, if a collision has taken place at the receiving node, it would be necessary and correct for a node to retransmit a packet, which may appear as a


incorrect accusation it would be preferable if it were not permanently excluded from routing. Therefore nodes that have negative ratings should have their ratings slowly increased or set back to a non-negative value after a long timeout. This is not implemented in our simulations since the current simulation period is too short to reset a misbehaving node's rating. Section 5.3 discusses the effect on throughput of accusing well-behaving nodes.

replay attack to the node acting as its watchdog. Therefore, detecting replay attacks would neither be an efficient nor an effective use of the watchdog mechanism. For the watchdog to work properly, it must know where a packet should be in two hops. In our implementation, the watchdog has this information because DSR is a source routing protocol. If the watchdog does not have this information (for instance if it were implemented on top of a hop-by-hop routing protocol), then a malicious or broken node could broadcast the packet to a nonexistent node and the watchdog would have no way of knowing. Because of this limitation, the watchdog works best on top of a source routing protocol.

When the pathrater learns that a node on a path that is in use misbehaves, and it cannot find a path free of misbehaving nodes, it sends out a ROUTE REQUEST if we have enabled an extension we call Send Route Request (SRR).

4. METHODOLOGY

In this section we describe our simulator, simulation parameters, and measured metrics.

3.2 Pathrater

The pathrater, run by each node in the network, combines knowledge of misbehaving nodes with link reliability data to pick the route most likely to be reliable. Each node maintains a rating for every other node it knows about in the network. It calculates a path metric by averaging the node ratings in the path. We choose this metric because it gives a comparison of the overall reliability of different paths and allows pathrater to emulate the shortest length path algorithm when no reliability information has been collected, as explained below. If there are multiple paths to the same destination, we choose the path with the highest metric. Note that this differs from standard DSR, which chooses the shortest path in the route cache. Further note that since the pathrater depends on knowing the exact path a packet has traversed, it must be implemented on top of a source routing protocol.
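The path metric and route choice described above, as an added example that is not the authors' simulator code. It uses the rating constants this section gives for the pathrater (0.5 neutral, 1.0 for the node itself, +0.01 per 200 ms interval up to 0.8, -0.05 per link break down to 0.0, -100 for suspected nodes); the class and method names and the node names are hypothetical.

```python
NEUTRAL, SELF = 0.5, 1.0          # initial ratings given in the paper
STEP, NEUTRAL_MAX = 0.01, 0.8     # +0.01 per 200 ms interval, capped at 0.8
LINK_BREAK, FLOOR = 0.05, 0.0     # -0.05 on a link break, never below 0.0
MISBEHAVING = -100.0              # value used in the paper's simulations


class Pathrater:
    def __init__(self, me):
        self.me = me
        self.rating = {me: SELF}   # a node always rates itself 1.0

    def learn(self, path):
        """Route discovery: nodes seen for the first time start neutral."""
        for node in path:
            self.rating.setdefault(node, NEUTRAL)

    def tick(self, active_paths):
        """Call once per 200 ms with the paths used during that interval."""
        for node in {n for path in active_paths for n in path}:
            r = self.rating[node]
            # Suspected nodes keep -100; the paper's simulations never reset them.
            if node != self.me and r >= FLOOR:
                self.rating[node] = min(NEUTRAL_MAX, r + STEP)

    def link_break(self, node):
        """Link break to `node` detected while forwarding."""
        r = self.rating[node]
        if node != self.me and r >= FLOOR:
            self.rating[node] = max(FLOOR, r - LINK_BREAK)

    def watchdog_report(self, node):
        """The watchdog (local or via notification) suspects `node`."""
        self.rating[node] = MISBEHAVING

    def metric(self, path):
        """Average of the node ratings on the path."""
        return sum(self.rating[n] for n in path) / len(path)

    def choose(self, paths):
        """Return (best_path, send_route_request). A negative best metric
        means every known path holds a suspected node, which is when the
        SRR extension would issue a new ROUTE REQUEST."""
        best = max(paths, key=self.metric)
        return best, self.metric(best) < 0


def demo():
    """Constructed topology: two cached routes from S to D."""
    short, long_ = ["S", "A", "D"], ["S", "B", "C", "D"]
    pr = Pathrater("S")
    pr.learn(short)
    pr.learn(long_)
    neutral_choice, _ = pr.choose([short, long_])   # all neutral: shortest wins
    pr.watchdog_report("A")
    after_a, srr_a = pr.choose([short, long_])      # route around A
    pr.watchdog_report("C")
    after_c, srr_c = pr.choose([short, long_])      # no clean path left
    return neutral_choice, after_a, srr_a, after_c, srr_c


if __name__ == "__main__":
    print(demo())
```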

We use a version of Berkeley's Network Simulator (ns) [8] that includes wireless extensions made by the CMU Monarch project. We also use a visualization tool from CMU called ad-hockey [25] to view the results of our simulations and detect overall trends in the network. To execute the simulations, we use PCs (450 or 500 MHz Pentium IIIs with at least 128 MB of RAM) running Red Hat Linux 6.1. Our simulations take place in a 670 by 670 meter flat space filled with a scattering of 50 wireless nodes. The physical layer and the 802.11 MAC layer we use are included in the CMU wireless extensions to ns [3].

4.1 Movement and Communication Patterns

The nodes communicate using 10 constant bit rate (CBR) node-to-node connections. Four nodes are sources for two connections each, and two nodes are sources for one connection each. Eight of the flow destinations receive only one flow and the ninth destination receives two flows. The communication pattern we use was developed by CMU [3].

The pathrater assigns ratings to nodes according to the following algorithm. When a node in the network becomes known to the pathrater (through route discovery), the pathrater assigns it a "neutral" rating of 0.5. A node always rates itself with a 1.0. This ensures that when calculating path rates, if all other nodes are neutral nodes (rather than suspected misbehaving nodes), the pathrater picks the shortest length path. The pathrater increments the ratings of nodes on all actively used paths by 0.01 at periodic intervals of 200 ms. An actively used path is one on which the node has sent a packet within the previous rate increment interval. The maximum value a neutral node can attain is 0.8. We decrement a node's rating by 0.05 when we detect a link break during packet forwarding and the node becomes unreachable. The lower bound rating of a "neutral" node is 0.0. The pathrater does not modify the ratings of nodes that are not currently in active use. We assign a special highly negative value, -100 in the simulations, to nodes suspected of misbehaving by the watchdog mechanism. When the pathrater calculates the path metric, negative path values indicate the existence of one or more suspected misbehaving nodes in the path. If a node is marked as misbehaving due to a temporary malfunction or


In all of our node movement scenarios, the nodes choose a destination and move in a straight line towards the destination at a speed uniformly distributed between 0 meters/second (m/s) and some maximum speed. This is called the random waypoint model [3]. We limit the maximum speed of a node to 20 m/s (10 m/s on average) and we set the run-time of the simulations to 200 seconds. Once the node reaches its destination, it waits for the pause time before choosing a random destination and repeating the process. We use pause times of 0 and 60 seconds. In addition we use two different variations of the initial node placement and movement patterns. By combining the two pause times with two movement patterns, we obtain four different mobility scenarios.

4.2 Misbehaving Nodes

Of the 50 nodes in the simulated network, some variable percentage of the nodes misbehave. In our simulations, a misbehaving node is one that agrees to participate in forwarding packets (it appends its address into ROUTE REQUEST packets) but then indiscriminately drops all data packets that are routed through it.

We vary the percentage of the network comprised of misbehaving nodes from 0% to 40% in 5% increments. While a network with 40% misbehaving nodes may seem unrealistic, it is interesting to study the behavior of the algorithms in a more hostile environment than we hope to encounter in real life. We use Tcl's [17] built-in pseudo-random number generator to designate misbehaving nodes randomly. We use the same seed across the 0% to 40% variation of the misbehaving nodes parameter, which means that the group of misbehaving nodes in the 10% case is a superset of the group of misbehaving nodes in the 5% case. This ensures that the obstacles present in lower percentage misbehaving node runs are also present in higher percentage misbehaving node runs.

4.3 Metrics

We evaluate our extensions using the following three metrics:

Throughput: This is the percentage of sent data packets actually received by the intended destinations.

Overhead: This is the ratio of routing-related transmissions (ROUTE REQUEST, ROUTE REPLY, ROUTE ERROR, and watchdog) to data transmissions in a simulation. A transmission is one node either sending or forwarding a packet. For example, one packet being forwarded across 10 nodes would count as 10 transmissions. We count transmissions instead of packets because we want to compare routing-related transmissions to data transmissions, but some routing packets are more expensive to the network than other packets: ROUTE REQUEST packets are broadcast to all neighbors which in turn broadcast to all of their neighbors, causing a tree of packet transmissions. Unicast ROUTE REPLY, ROUTE ERROR, watchdog, and data packets only travel along a single path.

Effects of watchdog false positives on network throughput: False positives occur when the watchdog mechanism reports that a node is misbehaving when in fact it is not, for reasons discussed in Section 3. We study the impact of this on throughput.

5. SIMULATION RESULTS

In this section we present the results of our simulations. We focus on three metrics of evaluation: network throughput, routing overhead, and the effects of false positives on throughput.

We test the utility of various combinations of our extensions: watchdog (WD), pathrater (PR), and send (extra) route request (SRR). We use the SRR extension to find new paths when all known paths include a suspected misbehaving node. Each of the following sections includes two graphs of simulation results for two separate pause times. The first graph is for a pause time of 0 (the nodes are in constant motion) and the second is for a pause time of 60 seconds before and in between node movement. We simulate two different node mobility patterns using four different pseudo-random number generator seeds. The seeds determine which nodes misbehave. We plot the average of the eight simulations.

5.1 Network Throughput

We graph four curves for network throughput: everything enabled, watchdog and pathrater enabled, only pathrater enabled, and everything disabled. We choose to graph both everything enabled and everything enabled except SRR, because we want to isolate performance gains or problems caused by extra route requests. Since the pathrater is not strictly a tool to be used for circumventing misbehaving nodes, we choose to include the graph where only pathrater is enabled to determine if it increases network throughput without any knowledge of suspected misbehaving nodes. We do not graph watchdog and SRR activated without pathrater, since without pathrater the information about misbehaving nodes would not be used for routing decisions.

Figure 5 shows the total network throughput, calculated as the fraction of data packets generated that are received, versus the fraction of misbehaving nodes in the network for the combinations of extensions. In the case where the network contains no misbehaving nodes, all four curves achieve around 95% throughput. After the 0% misbehaving node case, the graphs diverge.

As expected, the simulations with all three extensions active perform the best by a considerable margin as misbehaving nodes are added to the network. The mechanisms increase the throughput by up to 27% compared to the basic protocol, maintaining a throughput greater than 80% for both pause times, even with 40% misbehaving nodes. Table 1 lists the maximum and minimum throughput achieved in any simulation run at 40% misbehaving nodes with all options enabled.

                        Maximum   Minimum
0 second pause time     88.6%     75.2%
60 second pause time    95.0%     73.9%

Table 1: Maximum and minimum network throughput obtained by any simulation at 40% misbehaving nodes with all features enabled.

When a subset of the extensions is active, performance does not increase as much over the simulations with no extensions. Watchdog alone does not affect routing decisions, but it supplies pathrater with extra information to combat misbehaving nodes more effectively. When watchdog is deactivated, the source node has no way of detecting the misbehaving node in its path to the destination, and so its transmission flow suffers total packet loss. Pathrater alone cannot detect a path with misbehaving nodes to decrement its rate (see Section 7).

                        Maximum   Minimum
0 second pause time     31.3%     18.9%
60 second pause time    23.5%     11.0%

Table 2: Maximum and minimum overhead obtained by any simulation at 40% misbehaving nodes with all features enabled.


One effect of the randomness of ns is that nodes may receive route replies to their route requests in a different order in one simulation than in another simulation with slightly varied parameters. This change can result in a node choosing a path with a misbehaving node in one run, but not choosing that path in a simulation with more misbehaving nodes in the network. This may actually result in slight increases in network throughput when the number of misbehaving nodes increases. For instance, this is noticeable in the pathrater-only curve of Figure 5 (b) where the throughput rises from 82% to 84% between 20% and 25% misbehaving nodes.

[Figure 5 (a): 0 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: WD=ON, PR=ON, SRR=ON; WD=ON, PR=ON, SRR=OFF; WD=OFF, PR=ON, SRR=OFF; WD=OFF, PR=OFF, SRR=OFF.]

In both throughput graphs, the everything disabled curve and the pathrater only curves closely follow each other. From the graphs we conclude that the pathrater alone does not significantly affect performance. In Section 7 we suggest some improvements to the pathrater that may increase its utility in the absence of the other extensions.

5.2 Routing Overhead

For routing overhead, we graph four curves: everything on, pathrater and watchdog on, only watchdog on (watchdog-only), and everything off. Using the everything off graph as our basis for comparison, we graph the watchdog-only curve to find the overhead generated just by the watchdog when it sends notifications to senders. The watchdog and pathrater curve shows the overhead added by watchdog and pathrater but with pathrater's ability to send out extra route requests disabled. The everything on curve includes the overhead created by pathrater when sending out extra route requests.

[Figure 5 (b): 60 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: WD=ON, PR=ON, SRR=ON; WD=ON, PR=ON, SRR=OFF; WD=OFF, PR=ON, SRR=OFF; WD=OFF, PR=OFF, SRR=OFF.]

Figure 5: Overall network throughput as a function of the fraction of misbehaving nodes in the network.

Figure 6 shows the amount of overhead incurred by activating the different routing extensions. The greatest effect on routing overhead results from using the SRR feature, which sends out route requests for a destination to which the only known routes include suspected misbehaving nodes. For 40% misbehaving nodes in the high mobility scenario, the overhead rises from 12% to 24% when SRR is activated in the pathrater. Any route requests generated by SRR will flood the network with ROUTE REQUEST and ROUTE REPLY packets, which greatly increase the overhead. Table 2 lists the maximum and minimum overhead for any of the simulations with all options enabled at 40% misbehaving nodes.


The watchdog mechanism itself only adds a very small amount of extra overhead as seen by comparing the watchdog-only graph with the all-disabled graph. Also, the added overhead is not affected by the increase in misbehaving nodes in the network. Using both the watchdog and pathrater mechanisms increases the throughput of the network by 16% at 40% misbehaving nodes with only 6% additional network overhead (see Figure 6 (a)).


Though the overhead added by these extensions is significant, especially when pathrater sends out route requests to avoid misbehaving nodes, these extensions still improve net throughput. Therefore, the main concerns with high overhead involve issues such as increased battery usage on portables and PDAs. Since the largest factor accounting for the overhead is route requests, the overhead can be significantly reduced by optimizing the delay between pathrater sending out route requests and incorporating some of the approaches developed for mitigating route requests and broadcast storms in general [1, 4, 14].

[Figure 6 (a): 0 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: WD=ON, PR=ON, SRR=ON; WD=ON, PR=ON, SRR=OFF; WD=ON, PR=OFF, SRR=OFF; WD=OFF, PR=OFF, SRR=OFF.]

5.3 Effects of False Detection

We compare simulations of the regular watchdog with a watchdog that does not report false positives. Figure 7 shows the network throughput lost by the watchdog incorrectly reporting well-behaved nodes. These results show that throughput is not appreciably affected by false positives and that they may even have beneficial side effects, as described below.


The similarity in throughput can be attributed to a few factors. First, the nodes incorrectly reported as misbehaving could have moved out of the previous node's listening range before forwarding on a packet. If these nodes move out of range frequently enough to warrant an accusation of misbehavior they may be unreliable due to their location, and the source would be better off routing around them. The fact that more false positives are reported in the 0 second pause time simulations as compared to the 60 second pause time simulations, as shown in Table 3, supports this conclusion. Table 3 shows the average value of false positives reported by the simulation runs for each pause time and misbehaving node percentage.

[Figure 6 (b): 60 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: WD=ON, PR=ON, SRR=ON; WD=ON, PR=ON, SRR=OFF; WD=ON, PR=OFF, SRR=OFF; WD=OFF, PR=OFF, SRR=OFF.]

Figure 6: This figure shows routing overhead as a ratio of routing packet transmissions to data packet transmissions. This ratio is plotted against the fraction of misbehaving nodes.

Another factor that may account for the similar throughput of the watchdog's performance with and without false positives concerns one of the limitations of the watchdog. As described in Section 3, if a collision occurs while the watchdog is waiting for the next node to forward a packet, it may never overhear the packet being transmitted. If many collisions occur over time, the watchdog may incorrectly assume that the next node is misbehaving. However, if a node constantly experiences collisions, it may actually increase throughput to route packets around areas of high communication density.


Percent misbehaving nodes 0 second pause time 60 second pause time

0%

[ 5%

10%

15%

20%

25%

30%

131102182.890.366.575.560.867.531.350.8 . 57.6 40.8 63.1 35.7 79.5 46.7

35%

40%

21.7

47.2

Table 3: Comparison of the number of false positives between the 0 second and 60 second pause time simulations. Average taken from the simulations with all features enabled.

Yet another factor is that increased false positives will result in more paths including a suspected misbehaving node. The pathrater will then send out more route requests to the destination. This increases the overhead in the network, but it also provides the sending node with a fresher list of routes for its route cache.
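The interaction described in this section, where a watchdog threshold turns collision-masked forwards into false accusations and those accusations make the pathrater issue extra route requests, is sketched below as an added example that is not code from the paper. The rating values, the mean-rating path score, the topology and the overhearing trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

NEUTRAL, ACCUSED = 0.5, -100.0   # assumed rating values for this sketch

@dataclass
class Watchdog:
    threshold: int                               # missed forwards tolerated per neighbor
    missed: dict = field(default_factory=dict)

    def observe(self, next_hop, overheard):
        """Record one packet handed to next_hop; True means 'accuse this node'."""
        if not overheard:                        # dropped, lost to a collision, or out of range
            self.missed[next_hop] = self.missed.get(next_hop, 0) + 1
        return self.missed.get(next_hop, 0) > self.threshold

@dataclass
class Pathrater:
    ratings: dict = field(default_factory=dict)

    def accuse(self, node):
        self.ratings[node] = ACCUSED

    def suspected(self, path):
        return any(self.ratings.get(n, NEUTRAL) < 0 for n in path)

    def score(self, path):
        hops = path[1:]                          # every node after the source
        return sum(self.ratings.get(n, NEUTRAL) for n in hops) / len(hops)

    def choose(self, paths):
        """Return (best path, whether an extra route request is needed)."""
        best = max(paths, key=self.score)
        need_srr = all(self.suspected(p) for p in paths)   # SRR condition
        return best, need_srr

# Constructed scenario: source S has two cached routes to destination D.
ROUTES = [["S", "A", "B", "D"], ["S", "C", "E", "D"]]
MISBEHAVING = {"C"}                              # C agrees to forward but drops everything
# Constructed trace of (next hop, did S overhear the forward?).
# A forwards every packet, but two of its forwards are masked by collisions.
TRACE = ([("A", True)] * 4 + [("A", False)] + [("A", True)] * 3
         + [("A", False), ("A", True)] + [("C", False)] * 5)

def replay(threshold):
    """Replay TRACE through a watchdog with the given threshold and pick a route."""
    wd, pr = Watchdog(threshold), Pathrater()
    accused = set()
    for hop, overheard in TRACE:
        if wd.observe(hop, overheard) and hop not in accused:
            accused.add(hop)
            pr.accuse(hop)
    best, need_srr = pr.choose(ROUTES)
    return {"accused": accused, "false_positives": accused - MISBEHAVING,
            "route": best, "extra_route_request": need_srr}

if __name__ == "__main__":
    for t in (1, 3):
        print("threshold", t, replay(t))
```

With the low threshold the well-behaved node A is accused alongside C, every cached route contains a suspect, and an extra route request is needed; with the higher threshold only C is accused and the route through A is used.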

6. RELATED WORK

To our knowledge, there is no previously published work on detection of routing misbehavior specific to ad hoc networks, although there is relevant work by Smith, Murthy and Garcia-Luna-Aceves on securing distance vector routing protocols from Byzantine routing failures [22]. In their work, they suggest countermeasures to secure routing messages and routing updates. This work may be applicable to ad hoc networks in that distance vector routing protocols, such as DSDV, have been proposed for ad hoc networks.

Zhou and Haas investigate distributed certificate authorities in ad hoc networks using threshold cryptography [27]. Zhou and Haas take the view that no one single node in an ad hoc network can be trusted due to low physical security and low availability. Therefore, using a single node to provide an important network-wide service, such as a certificate authority, is very risky. Threshold cryptography allows a certificate authority's private key to be broken up into shares and distributed across multiple nodes. To sign a certificate, a subset of the nodes with private key shares must jointly collaborate. Thus, to mount a successful attack on the certificate authority, an intruder must compromise multiple nodes.

[Figure 7 (a): 0 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: No False Positives; Regular Watchdog.]

To further frustrate attack attempts over time, Zhou and Haas' scheme uses share refreshing. It is possible that over a long period of time enough share servers could be compromised to recover the certificate authority's secret key. Share refreshing allows uncompromised servers to compute a new private key periodically from the old private key's shares. This periodic refreshing means that an attacker must infiltrate a large number of nodes within a short time span to recover the certificate authority's secret key.

[Figure 7 (b): 60 second pause time. Horizontal axis: fraction of misbehaving nodes. Curves: No False Positives; Regular Watchdog.]

Figure 7: Comparison of network throughput between the regular watchdog and a watchdog that reports no false positives.

Stajano and Anderson [23] elucidate some of the security issues facing ad hoc networks and investigate ad hoc networks composed of low compute-power nodes such as home appliances, sensor networks, and PDAs where full public key cryptography may not be feasible. The authors develop a system in which a wireless device "imprints" itself on a master device, accepting a symmetric encryption key from the first device that sends it a key. After receiving that key, the slave device will not recognize any other device as a master except the device that originally sent it the key. The authors bring up an interesting denial of service attack: the battery drain attack. A misbehaving node can mount a denial-of-service attack against another node by routing seemingly legitimate traffic through the node in an attempt to wear down the other node's batteries.

7. FUTURE WORK

This paper presents initial work in detecting misbehaving nodes and mitigating their performance impact in ad hoc wireless networks. In this section we describe some further ideas we would like to explore. We plan on conducting more rigorous tests of the watchdog and pathrater parameters to determine optimal values to increase throughput in different situations. Currently we are experimenting with different watchdog thresholds for deciding when a node is misbehaving. Some of the variables to optimize for the pathrater include the rating increment and decrement amounts, the rate incrementing interval, and the delay between sending out route requests to decrease the overhead caused by this feature.

Our simulations use scenarios in which there are no a priori trust relationships, but we expect the performance of pathrater to increase when it can make use of explicitly trusted nodes. Trusted node lists are available in some ad hoc network scenarios, and we would like to analyze the performance of our routing extensions in these scenarios. Currently the pathrater only decrements a node's rating when another node tries unsuccessfully to send to it or if the watchdog mechanism is active and determines that a node is misbehaving. Without the watchdog active, the pathrater cannot detect misbehaving nodes. An obvious enhancement would be to receive updates from a reliable transport layer, such as TCP, when ACKs fail to be received. This would allow the pathrater to detect bad paths and lower the nodes' ratings accordingly.

All the simulations presented in this paper use CBR data sources with no reliability requirements. Our next goal is to analyze how the routing extensions perform with TCP flows common to most network applications. Our focus would then change from measuring throughput, or dropped packets, to measuring the time to complete a reliable transmission, such as an FTP transfer. For these tests the modification to pathrater described above should improve performance significantly in the case where the watchdog is not active.

Finally, we would like to evaluate the watchdog and pathrater considering latency in addition to throughput.

8. CONCLUSION

Ad hoc networks are an increasingly promising area of research with practical applications, but they are vulnerable in many settings to nodes that misbehave when routing packets. For robust performance in an untrusted environment, it is necessary to resist such routing misbehavior. In this paper we analyze two possible extensions to DSR to mitigate the effects of routing misbehavior in ad hoc networks: the watchdog and the pathrater. We show that the two techniques increase throughput by 17% in a network with moderate mobility, while increasing the ratio of overhead transmissions to data transmissions from the standard routing protocol's 9% to 17%. During extreme mobility, watchdog and pathrater can increase network throughput by 27%, while increasing the percentage of overhead transmissions from 12% to 24%.

These results show that we can gain the benefits of an increased number of routing nodes while minimizing the effects of misbehaving nodes. In addition we show that this can be done without a priori trust or excessive overhead.

9. ACKNOWLEDGEMENTS

We would like to thank Diane Tang, Petros Maniatis, Mema Roussopoulos, and Ed Swierk for their comments on drafts of this paper. We would also like to thank Dan Boneh for his help in early discussions of this work. This work was supported in part by a generous gift from NTT Mobile Communications Network, Inc. (NTT DoCoMo). In addition, Sergio Marti was supported by a National Defense Science and Engineering Graduate Fellowship.

10. REFERENCES

[1] S. Basagni et al. A Distance Routing Effect Algorithm for Mobility (DREAM). In Proceedings of the Fourth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '98), October 1998.

[2] V. Bharghavan, A. Demers, S. Shenker, and L. Zhang. MACAW: A Medium Access Protocol for Wireless LANs. In Proceedings of ACM SIGCOMM '94, August 1994.

[3] J. Broch, D. A. Maltz, D. B. Johnson, Y. C. Hu, and J. Jetcheva. A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols. In Proceedings of the Fourth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '98), October 1998.

[4] R. Castaneda and S. R. Das. Query Localization Techniques for On-Demand Routing Protocols in Ad Hoc Networks. In Proceedings of the Fifth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '99), August 1999.

[5] S. Corson and V. Park. Temporally-Ordered Routing Algorithm (TORA) Version 1 Functional Specification. Mobile Ad-hoc Network (MANET) Working Group, IETF, October 1999.

[6] B. P. Crow, I. K. Widjaja, G. Jeong, and P. T. Sakai. IEEE-802.11 Wireless Local Area Networks. IEEE Communications Magazine, vol. 35, No. 9: pages 116-126, September 1997.

[7] S. Das, C. E. Perkins and E. M. Royer. Ad Hoc On Demand Distance Vector (AODV) Routing (Internet-Draft). Mobile Ad-hoc Network (MANET) Working Group, IETF, October 1999.

[8] K. Fall and K. Varadhan, editors. ns notes and documentation. The VINT Project, UC Berkeley, LBL, USC/ISI, and Xerox PARC, July 1999. Available from http://www-mash.cs.berkeley.edu/ns/.

[9] J.J. Garcia-Luna-Aceves and M. Spohn. Source-Tree Routing in Wireless Networks. In Proceedings IEEE ICNP 99: 7th International Conference on Network Protocols, Toronto, Canada, October 31-November 3, 1999.

[10] J.J. Garcia-Luna-Aceves, Marcelo Spohn, and David Beyer. Source Tree Adaptive Routing (STAR) Protocol (Internet-Draft). Mobile Ad hoc Network (MANET) Working Group, IETF, October 1999.

[11] P. Johansson and T. Larsson. Scenario-Based Performance Analysis of Routing Protocols for Mobile Ad-Hoc Networks. In Proceedings of the Fifth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '99), August 1999.

[12] D. Johnson, D. A. Maltz, and J. Broch. The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (Internet-Draft). Mobile Ad-hoc Network (MANET) Working Group, IETF, October 1999.

D. Johnson. Personal Communication. February 2000.

[13] J. Jubin and J. Tornow. The DARPA Packet Radio Network Protocols. In Proceedings of the IEEE, 75(1):21-32, 1987.

[14] Y.-B. Ko and N. H. Vaidya. Location-Aided Routing (LAR) in Mobile Ad Hoc Networks. In Proceedings of the Fourth Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '98), October 1998.

[15] Y.-B. Ko and N. H. Vaidya. Geocasting in Mobile Ad Hoc Networks: Location-Based Multicast Algorithms. WMCSA '99, New Orleans.

[16] IETF MANET Working Group Internet Drafts. http://www.ietf.org/ids.by.wg/manet.html.

[17] J. K. Ousterhout. Tcl and the Tk Toolkit. Addison-Wesley, 1994.

[18] S. H. Park, A. Ganz, and Z. Ganz. Security protocol for IEEE 802.11 wireless local area network. Mobile Networks and Applications. Vol. 3. 1998.

[19] C.E. Perkins and P. Bhagwat. Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers. In Proceedings of the SIGCOMM '94 Conference on Communications Architectures, Protocols and Applications, pages 234-244, August 1994.

[20] R. Prakash. Unidirectional Links Prove Costly in Wireless Ad Hoc Networks. In Proceedings of DIMACS Workshop on Mobile Networks and Computers, 1999.

[21] B. Smith and J.J. Garcia-Luna-Aceves. Efficient Security Mechanisms for the Border Gateway Routing Protocol. Computer Communications (Elsevier), Vol. 21, No. 3: pp. 203-210, 1998.

[22] B. Smith, S. Murthy, and J.J. Garcia-Luna-Aceves. Securing Distance-Vector Routing Protocols. In Proceedings of Internet Society Symposium on Network and Distributed System Security, San Diego, CA, February 1997.

[23] F. Stajano and R. Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. B. Christianson, B. Crispo, and M. Roe (Eds.), Security Protocols, 7th International Workshop Proceedings, Lecture Notes in Computer Science, 1999.

[24] D. G. Stinson. Cryptography: Theory and Practice. CRC Press, 1995.

[25] The CMU Monarch Project. The CMU Monarch Project's Wireless and Mobility Extensions to ns. http://www.monarch.cs.cmu.edu/cmu-ns.html. Oct. 12, 1999.

[26] C.-K. Toh. Associativity Based Routing For Ad-Hoc Mobile Networks. Wireless Personal Communications Journal, Special Issue on Mobile Networking and Computing Systems, Vol. 4, No. 2, pp. 103-139, March 1997.

[27] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network Magazine, vol. 13, no. 6, November/December 1999.